• Enabled — New connections are enabled by default. Clear the check box to create a disabled connection.

• Local IP — From the drop-down list, select the local IP address that the tunnel connects to. Typically, this is one of your external IP addresses, though it is possible to select a Basic interface to create an internal tunnel.

Before you start, be aware of the following limitation of IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP roadwarriors, must use the same authentication method and, in the case of PSK, the same secret.

In practice, this means that if you want to create a tunnel between an iPhone-compatible device and the Smoothwall, you must:

• not have any L2TP or IPSec roadwarriors, as they use certificates for authentication

• not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown remote IPs, but the IPSec subnets would then have to use PSK authentication with the same shared secret as the iPhone-compatible device.
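As an added example (not Smoothwall's own code), the following Python checks a set of tunnel definitions against the limitation above: every tunnel whose peer IP is unknown must share one authentication method and, where that method is PSK, one secret longer than 6 characters. The Tunnel fields, tunnel kinds and sample values are constructed for illustration.

```python
# Added example, not Smoothwall code: validates tunnel definitions against the
# PSK limitation (constructed field names, tunnel kinds and sample values).
from dataclasses import dataclass
from typing import List

@dataclass
class Tunnel:
    name: str
    kind: str         # "ipsec-subnet", "ipsec-roadwarrior", "l2tp-roadwarrior" or "iphone"
    remote_ip: str    # "" means an unknown (blank) remote IP
    auth: str         # "psk" or "cert"
    secret: str = ""  # the preshared key, used only when auth == "psk"

ROADWARRIOR_KINDS = {"ipsec-roadwarrior", "l2tp-roadwarrior", "iphone"}
MIN_PSK_LENGTH = 7   # the page asks for more than 6 characters

def unknown_peer_tunnels(tunnels: List[Tunnel]) -> List[Tunnel]:
    """All roadwarrior-type tunnels plus subnet tunnels with a blank remote IP:
    the gateway cannot tell these apart by source address, so they must agree."""
    return [t for t in tunnels if t.kind in ROADWARRIOR_KINDS or not t.remote_ip]

def check_psk_consistency(tunnels: List[Tunnel]) -> List[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    unknown = unknown_peer_tunnels(tunnels)
    methods = {t.auth for t in unknown}
    if len(methods) > 1:
        problems.append("mixed authentication methods among unknown-IP tunnels: "
                        + ", ".join(f"{t.name}={t.auth}" for t in unknown))
    psk_tunnels = [t for t in unknown if t.auth == "psk"]
    if len({t.secret for t in psk_tunnels}) > 1:
        problems.append("unknown-IP PSK tunnels do not share one secret: "
                        + ", ".join(t.name for t in psk_tunnels))
    for t in psk_tunnels:
        if len(t.secret) < MIN_PSK_LENGTH:
            problems.append(f"{t.name}: preshared key must be longer than 6 characters")
    return problems

# Constructed sample: an iPhone on PSK alongside a certificate-based L2TP roadwarrior.
SAMPLE = [
    Tunnel("CEO's iPhone", "iphone", "", "psk", "correct-horse-battery"),
    Tunnel("sales laptop", "l2tp-roadwarrior", "", "cert"),
    Tunnel("branch office", "ipsec-subnet", "203.0.113.10", "cert"),
]

if __name__ == "__main__":
    for p in check_psk_consistency(SAMPLE):
        print("problem:", p)
```

Run against SAMPLE it reports the one conflict the page describes: the iPhone (PSK) cannot coexist with a certificate-based L2TP roadwarrior.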

To configure an iPhone-compatible tunnel:

1. On the Network > VPN > Global page, configure the following settings:

IPSec Road Warrior (and L2TP) Preshared Key
    Preshared key – Enter a strong password which contains more than 6 characters.
    Again – Re-enter the password to confirm it.

L2TP and SSL VPN client configuration settings
    Enter the primary and secondary DNS settings.

2. Click Save.

3. Go to the Network > VPN > L2TP roadwarriors page and configure the following settings:

Name – Enter a descriptive name for the tunnel. For example: CEO's iPhone.

Enabled – Select to activate the tunnel once it has been added.

Local IP – Select the external IP address to use for this tunnel.

Client IP – Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.

Hidden network access – It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.

There is no complicated configuration process for creating such internal VPNs: the facility is provided by globally nominating an internal VPN interface and creating tunnels that specify it as their interface.

In some advanced and unusual situations, however, this feature may prevent connections; for that reason, NAT-T can be disabled.

• Enable Dead Peer Detection — Used to activate a keep-alive mechanism on tunnels that support it.

This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page.

If this feature is not used, it can take up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default.

In setups consisting exclusively of Smoothwall VPN gateways, it is recommended that this feature is enabled.

• Copy TOS (Type Of Service) bits in and out of tunnels — When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to act on the TOS bits of traffic inside the tunnel (such as IP phone traffic) in traffic shaping rules within Traffic, and so traffic shape it.

If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.

Note that, because the copied TOS bits are visible on the outside of the tunnel, there is a theoretical possibility that enabling this setting can be used to spy on traffic.

5. Click Save.

Note: We recommend you limit any zone bridging from the nominated interface to other interfaces.

Tunnels connecting to the nominated additional interface are assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region.

If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.

To connect to an L2TP tunnel, a roadwarrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.

The first step in the connection process is to run the L2TP Client Wizard. If you do not have access to the wizard, contact your Smoothwall representative. You can download it from here. It is a freely distributable application that automates much of the configuration process.

Note: There is an alternative configuration method that uses a command line tool, enabling an L2TP connection to be configured as part of a logon script. For details, see Example VPN Configurations.

To install the L2TP client:

1. Run the L2TP Client Wizard on the roadwarrior system.

2. View the license and click Next to agree to it.

3. Click Browse and open the Certificate Authority certificate file as exported during the certificate creation process. Click Next.

4. Click Go to locate and select the roadwarrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next.

5. Ensure that the Launch New Connection Wizard option is selected and click Install.

6. The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.

7. Click Next.

8. Select Connect to the network at my workplace and click Next.

9. Select Virtual Private Network connection and click Next.

10. Enter a name for the connection and click Next.

11. Enter the Smoothwall's host name or IP address and click Next.

12. Click Finish.

13. In the Connect window, enter the username and password of the roadwarrior and click Connect. Ensure that the tunnel is enabled.

Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500, UDP port 4500, and ESP should flow from the roadwarrior when using a Smoothwall L2TP-over-IPSec connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
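As an added example that is not part of the Smoothwall documentation, this Python snippet triages iptables-style log lines from a roadwarrior's host firewall and separates the expected L2TP-over-IPSec traffic named above (UDP 500, UDP 4500 and ESP to the gateway) from anything an analyst should still review. The log lines, addresses and gateway are constructed, and judging only flows addressed to the gateway against the allow-list is an assumption of the example.

```python
# Added example, not Smoothwall code: separates expected L2TP-over-IPSec traffic
# from a roadwarrior (UDP 500, UDP 4500, ESP to the gateway) from anything else.
# The log lines, addresses and gateway below are constructed for illustration.
import re
from typing import Dict, List, Optional, Tuple

EXPECTED_UDP_PORTS = {500, 4500}   # IKE and NAT-T (UDP-encapsulated ESP)
ESP_PROTO = "ESP"                  # IP protocol 50, as iptables LOG names it

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line: str) -> Dict[str, str]:
    """Turn 'SRC=a DST=b PROTO=UDP DPT=500 ...' into a dict of the KEY=value fields."""
    return dict(FIELD_RE.findall(line))

def is_expected_vpn_traffic(proto: str, dport: Optional[int]) -> bool:
    """True for the only traffic an L2TP/IPSec roadwarrior should originate."""
    if proto == ESP_PROTO:
        return True
    return proto == "UDP" and dport in EXPECTED_UDP_PORTS

def triage(lines: List[str], gateway: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (expected, suspicious). Only flows whose DST is the VPN gateway
    are judged against the allow-list; anything else is left for an analyst."""
    expected, suspicious = [], []
    for line in lines:
        rec = parse_log_line(line)
        if "PROTO" not in rec or "DST" not in rec:
            continue                            # not a packet-log line
        dport = int(rec["DPT"]) if rec.get("DPT", "").isdigit() else None
        if rec["DST"] == gateway and is_expected_vpn_traffic(rec["PROTO"], dport):
            expected.append(rec)
        else:
            suspicious.append(rec)
    return expected, suspicious

# Constructed sample lines in iptables LOG style from a roadwarrior's host firewall.
GATEWAY = "203.0.113.1"
SAMPLE_LINES = [
    "kernel: OUT=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=324",
    "kernel: OUT=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=4500 DPT=4500 LEN=92",
    "kernel: OUT=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=ESP SPI=0x1a2b3c4d",
    "kernel: OUT=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51234 DPT=445",
    "kernel: OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 PROTO=UDP SPT=500 DPT=500 LEN=324",
]

if __name__ == "__main__":
    ok, odd = triage(SAMPLE_LINES, GATEWAY)
    print(f"{len(ok)} expected flows, {len(odd)} to review")
    for rec in odd:
        print("review:", rec["PROTO"], rec["DST"], rec.get("DPT", "-"))
```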